
Countdown to GDPR: Manage Vulnerabilities

Why? Too many preventable data breaches occur because hackers exploit well-known vulnerabilities for which patches are available but haven’t been installed. This happens because many organizations, including large ones with sophisticated IT infrastructures and resources, lack visibility into their IT assets and their vulnerabilities. To exploit these well-known vulnerabilities, hackers don’t use sophisticated, carefully crafted attacks, but rather aim for volume. “They automate certain weaponized vulnerabilities and spray and pray them across the Internet, sometimes yielding incredible success,” states the Verizon study. “The conclusion is a simple one: even if a malicious user doesn’t have access to expensive zero-days, the chances are high that they’d succeed with exploits to old vulnerabilities because there are many systems and devices out there that have not yet been updated,” Kaspersky stated. Even if you’re not leaving critical vulnerabilities unpatched for years, you must make sure you’re as quick as possible in your remediation work. One survey, titled “Reducing Attack Surface” and published in Nov. 2016, found that only 10% of respondents were able to remediate critical vulnerabilities in 24 hours or less, which is the ideal scenario. A good example of why time is of the essence when dealing with critical vulnerabilities was the WannaCry ransomware rampage that created chaos worldwide in May. You need global visibility into your systems’ vulnerabilities to stay ahead of attackers, especially today, as digitalization blurs the traditional boundaries of IT perimeters and exposes more and more IT assets on the Internet. Qualys VM maps all assets on the network, detailing their OS, ports, services and certificates, and scans them for vulnerabilities with Six Sigma 99.99966 percent accuracy.
These lightweight, all-purpose, self-updating agents reside on the assets they monitor – no scan windows, credentials or firewall changes needed – so vulnerabilities are found faster with minimal network impact. New software vulnerabilities are disclosed daily – to the tune of thousands per year – so organizations must know at all times which vulnerabilities are present in their IT assets, whether on-premises, in clouds, or on endpoints; understand the level of risk each one carries; and plan remediation of affected IT assets accordingly. “Vulnerability management has been a Sisyphean endeavor for decades. Attacks come in millions, exploits are automated and every enterprise is subject to the wrath of the quick-to-catch-on hacker. What’s worse, new vulnerabilities come out every day,” reads Verizon’s 2016 DBIR. If an InfoSec team patches, remediates, and mitigates the right vulnerabilities at the right time, its organization will avoid falling prey to most cyber attacks, and slash its risk of suffering a data breach, whose consequences could include GDPR penalties. With Qualys VM, you’ll be able to consistently address critical vulnerabilities in your most important IT assets on a timely basis, putting your organization in a solid position to withstand the daily attacks from hackers seeking to exploit unpatched gaps and compromise your customer data.

How Standards and Frameworks Can Help GDPR Compliance

The theft of highly sensitive personal information on 57 million Uber drivers and customers in the Uber data breach – and its subsequent cover-up – is in many ways what the GDPR was invented for. Not only did its data protection controls fall short of the best practice “state-of-the-art” approach outlined in the GDPR, but the firm also failed to report the incident – something which, from next May, would incur a fine of €10m or 2% of global annual turnover. Cautionary tales like Uber are one thing, but with just six months to go, organisations need more concrete help with GDPR compliance. That’s why I’d recommend looking to already established frameworks and standards to help fill in the gaps. Part of the challenge with GDPR compliance, which many IT leaders are now coming to understand, stems from the legislation’s lack of prescriptive advice on what security controls they should put in place to protect personal data. Article 32 of the GDPR says only this: “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” It goes on: “Adherence to an approved code of conduct or an approved certification mechanism may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.” UK privacy watchdog the Information Commissioner’s Office goes even further, with a whole page devoted to explaining the value of codes of conduct and certification mechanisms, which it says “Improve standards by establishing best practice.” Such a certification helps prove that SMEs have processes in place covering five key areas: firewalls and internet gateways; access controls; secure configuration; malware protection; and patch management.
For larger firms, we’d recommend looking at ISO 27001: an internationally recognised information security management standard. BS 10012 has been written with GDPR in mind to help with personal information management, while ISO 27018 supports managing personally identifiable information on public clouds – something that could probably have helped Uber out. The truth is that full compliance with additional standards and frameworks like these might not be realistic while you have your hands full with the GDPR. However, it’s worth taking a look because, even if you don’t implement them fully, some of these standards could provide more prescriptive info than the GDPR on what security controls you should use. In this way, “state of the art” as described in the GDPR could be applied more easily through ISO 27001 and 27002, which recommend two-factor authentication for physical entry, network access and more. One final word of warning: while frameworks and standards can help in your GDPR compliance efforts, always be cautious about any provider claiming to offer a one-stop shop for compliance. Organisations need to be realistic that the GDPR is a highly complex piece of legislation with no easy workarounds.

Community feedback on the new GDPR for WordPress project, created by WordCamp Denmark organizer Kåre Mulvad Steffensen and WP Pusher creator Peter Suhm, has started rolling in after the two launched a survey for developers. The project aims to provide an industry standard for getting plugins compliant with EU General Data Protection Regulation legislation ahead of the May 2018 deadline. 90% of respondents have answered that they would consider implementing a GDPR “File” types solution for their plugins if a standard was available. Only 4.9% of the 40 developers who responded said they have a plan for making their plugins GDPR compliant and 43.9% said they do not currently have a plan. The remaining 24.4% were developers of plugins that do not handle personal data. “Our talks with Paul Sieminski from Automattic and Dovy Paukstys from the Redux options framework have reassured us that we still do have a need for a GDPR structure which can help the community establish a basis for handling GDPR compliance,” Steffensen said. Steffensen and Suhm created a GitHub repository where they have outlined their proposal for a PHP object interface that plugin developers could add to their codebases as a standard way of indicating how their plugins work with personal data. “The nature of such an interface puts some responsibility in the hands of the developer to identify any place personal data is stored,” Steffensen said. “What kind of data it is, and for what purpose as well as how it should be handled upon deletion. 
The Interface approach will allow a community-wide adoption, without setting limitations on how plugin developers choose to work with their data – something we obviously can’t control.” The idea is that plugin developers could then build other tools on top of this framework using specific functions that correspond to GDPR requirements, such as functions that allow users to access their data, implement the right to be forgotten, report data breaches, and delete and anonymize data. In speaking with Dovy Paukstys on how this could work with Redux, Steffensen said the options framework may be able to facilitate compliance for the 500,000+ sites where it is active and the developers who use it to build plugins. “Our object interface would be something his framework could provide an easy way to utilize for the many developers using Redux. The Redux users could essentially do this themselves also, but since Redux is a framework it makes sense to see if they can build something that will make it near instant for developers to provide compliance for the GDPR.” With 189 days remaining before the GDPR goes into effect, the team will need to work quickly to make a solution available with enough time for interested developers to incorporate it into their plugins. In addition to looking at ways to receive donations, the team plans to keep the survey open for developers for a while longer to try to make more connections in the community. Steffensen said they hope respondents will help them gain insight on the developer community’s readiness and also enable them to reach out to any plugin owners who could play a key role in a wider adoption.
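To make the idea concrete, here is an added example of the kind of object interface the article describes, together with one plugin implementing it and a site-wide dispatcher built on top of it. This is illustrative code written for this page, not the GDPR for WordPress project’s own interface: the interface name, method names, the class names and the table name are all assumptions, the sample rows are constructed, and the code assumes PHP 8 (constructor property promotion) with no database, so that it runs on its own.

```php
<?php
declare(strict_types=1);

// Hypothetical interface in the spirit of the article; the names below are
// assumptions, not the GDPR for WordPress project's own code.
interface PersonalDataHandler
{
    /** Where personal data lives, which fields, for what purpose, and what happens on deletion. */
    public function describeStorage(): array;
    /** Right of access / portability: every record held on one subject. */
    public function exportFor(string $subjectEmail): array;
    /** Right to erasure: remove the subject's records; returns the number removed. */
    public function eraseFor(string $subjectEmail): int;
    /** Keep records for statistics but strip identity; returns the number changed. */
    public function anonymizeFor(string $subjectEmail): int;
}

// Stand-in for one plugin's storage: a constructed contact-form log kept in memory.
// A real plugin would run the same logic against its own database table.
final class ContactFormLog implements PersonalDataHandler
{
    public function __construct(private array $rows) {}

    public function describeStorage(): array
    {
        return [[
            'location'  => 'wp_contact_form_entries (assumed table name)',
            'fields'    => ['name', 'email', 'ip', 'message'],
            'purpose'   => 'answering enquiries sent through the contact form',
            'on_delete' => 'erase name, email and ip; message text may be kept anonymized',
        ]];
    }

    public function exportFor(string $subjectEmail): array
    {
        return array_values(array_filter($this->rows, fn($r) => $r['email'] === $subjectEmail));
    }

    public function eraseFor(string $subjectEmail): int
    {
        $before = count($this->rows);
        $this->rows = array_values(array_filter($this->rows, fn($r) => $r['email'] !== $subjectEmail));
        return $before - count($this->rows);
    }

    public function anonymizeFor(string $subjectEmail): int
    {
        $changed = 0;
        foreach ($this->rows as $i => $r) {
            if ($r['email'] !== $subjectEmail) {
                continue;
            }
            // Array union keeps the replaced identity fields and carries the rest of the row over.
            $this->rows[$i] = ['name' => '[anonymized]', 'email' => '[anonymized]', 'ip' => '0.0.0.0'] + $r;
            $changed++;
        }
        return $changed;
    }
}

// Site-wide dispatcher, the kind of tool the article says could be built on top
// of the interface: one subject request fans out to every registered plugin.
final class SubjectRequestDispatcher
{
    /** @var PersonalDataHandler[] */
    private array $handlers = [];

    public function register(PersonalDataHandler $handler): void
    {
        $this->handlers[] = $handler;
    }

    /** Applies one operation to every handler and returns results keyed by plugin class. */
    private function fanOut(callable $op): array
    {
        $out = [];
        foreach ($this->handlers as $h) {
            $out[get_class($h)] = $op($h);
        }
        return $out;
    }

    public function inventory(): array          { return $this->fanOut(fn($h) => $h->describeStorage()); }
    public function export(string $e): array    { return $this->fanOut(fn($h) => $h->exportFor($e)); }
    public function erase(string $e): array     { return $this->fanOut(fn($h) => $h->eraseFor($e)); }
    public function anonymize(string $e): array { return $this->fanOut(fn($h) => $h->anonymizeFor($e)); }
}

// Constructed sample data; the addresses are documentation placeholders.
$dispatcher = new SubjectRequestDispatcher();
$dispatcher->register(new ContactFormLog([
    ['name' => 'Ada', 'email' => 'ada@example.com', 'ip' => '203.0.113.7',  'message' => 'Hello'],
    ['name' => 'Bob', 'email' => 'bob@example.com', 'ip' => '198.51.100.2', 'message' => 'Hi'],
]));

print_r($dispatcher->inventory());                  // what is stored, why, and how deletion is handled
print_r($dispatcher->export('ada@example.com'));    // access request for one subject
print_r($dispatcher->anonymize('bob@example.com')); // anonymize instead of delete
print_r($dispatcher->erase('ada@example.com'));     // right to be forgotten, count per plugin
print_r($dispatcher->export('ada@example.com'));    // nothing remains for that subject
```

The point of the `describeStorage()` method is the one Steffensen makes: the plugin author, who is the only person who knows where the data goes, declares it once, and everything else (inventory for a records-of-processing register, access export, erasure, anonymization) can be driven generically by the dispatcher without knowing anything about each plugin’s schema.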

GDPR: how to avoid the data protection cowboys – Naked Security

Reports from the recent InfoSec 2017 conference suggest that the subject of the General Data Protection Regulation was on the lips of many exhibitors and vendors. This tallies with my own recent experience as a Data Protection Officer, and chair of NADPO: people are becoming aware of the changes that GDPR will bring, and their worries are driving a desire to know more and seek advice. The GDPR marks the biggest change to European data protection law in a generation. Good data protection practice requires good information management, and, with boards preoccupied by the presence of those potential huge fines, data protection officers and similar professionals might just get some of the attention and resources they’ve been crying out for for years. The personal data might only be a visitor’s name, and company contact details, but personal data it still, most surely, is. Current EU data protection law requires that, where you are gathering such data, you tell the data subject who you are, and what you’re going to do with their data. What is true is that when consent is relied upon as a basis to justify processing of personal data, GDPR requires more of an organisation than existing law does, but there are many circumstances where consent is not needed to process personal data. If the vendor doesn’t know this, how are they going to be able to advise on other GDPR matters? Does the vendor emphasise the huge potential fines? I can understand why they do this, but bear in mind that existing UK data protection law already contains the power for the regulator – the Information Commissioner’s Office – to issue fines, and while the ICO sometimes does so, it actually only exercises that power in exceptional circumstances, and there is no reason to think this will be any different under GDPR. Fines are a risk, and they do help focus the mind, but the regulators will not be dishing out lots of them.
Finally, and most obviously, who exactly is it who is offering this service or solution? Do they paint GDPR as solely an information issue or a cyber-security issue? Is this vendor a person or a firm that has a background in data protection, or is it someone who wasn’t even offering a data protection product a few months ago? These latter types are certainly circling the skies. I didn’t have the energy to tell him that some of the delegates had been reading, and applying, data protection law for many years, some even since 1984. Expertise in data protection is not something acquired overnight. This is all important because data protection is not just about information or cyber-security. Not all non-specialists are awful, and some can helpfully provide a part, maybe a technical part, of a solution, but when it comes to general support and advice for GDPR purposes, choose someone with a clear and demonstrable track record in data protection. So next time you get cold called, or approached at a conference, by someone claiming expertise, why not ask them a tricky question, like “Do you need to show damage before you can claim compensation for distress for a contravention of the Data Protection Act 1998?” There’s a correct answer to this, and genuine data protection experts should be able to give it.

DocuSign’s Structured Commitment to GDPR Preparation

Like many of our customers, DocuSign is preparing itself to comply with the GDPR requirements, and aligning business practices to potential GDPR use cases.

Building on our Strong Commitment to Data Privacy and Security

GDPR readiness is a daunting task, but DocuSign began preparing for GDPR by leveraging a strong history of controls and safeguards evidenced by its recognized certifications. DocuSign is ISO 27001:2013 certified as an ISMS, the highest level of global information security assurance available today. DocuSign also complies with the xDTM Standard, which sets a high-quality bar for digital transaction management, as well as with specialized industry regulations, such as HIPAA, 21 CFR Part 11, FedRAMP authorization, and specified rules from the FTC, FHA, IRS, and FINRA. Building on the foundation these certifications provide, and aided by the discipline necessary to obtain and maintain this wide range of robust certifications, DocuSign is positioned well to meet the controls that will be required by GDPR.

Analyzing the Gaps

To build upon DocuSign’s existing certifications, DocuSign sought guidance from well-established privacy and legal professionals who helped interpret and apply the GDPR requirements to DocuSign. This expert team conducted a gap analysis between DocuSign’s existing compliance-driven common control framework, which includes controls required by DocuSign’s pending Binding Corporate Rules application with the Irish Data Protection Commissioner, and the new requirements of GDPR. DocuSign completed this gap analysis to determine the tasks that it needed to incorporate across the DocuSign business and systems. The missing GDPR tasks that were identified were then distilled down further using recognized privacy tools that also assist with tracking the completion of such privacy-related tasks. This exercise allowed DocuSign to create a more structured and objectively unifiable approach to implementing and managing each new GDPR task by categorizing them into more understandable bite-sized chunks for the applicable DocuSign departments to digest. In some cases, each task provides sufficient context as to how it relates to the data privacy principles of GDPR. In DocuSign’s experience, organizing the tasks into specific categories, such as “Maintain a privacy governance structure”, helps provide the applicable departments better insight into the objective of those tasks.

Train each of our DocuSign employees on all privacy and security expectations

In parallel to the work being done to identify the missing GDPR tasks, DocuSign formalized its GDPR leadership team with corresponding delegates to tackle the tasks that must be completed to reach GDPR readiness. The GDPR team is positioned to drive visibility and transparency to the company’s Executive Team and Board of Directors. Through its GDPR leadership team, DocuSign data protection and GDPR readiness is active and underway with visibility throughout the company. The implementation of such compliance-driven programs is not new to DocuSign and, like its other certifications, DocuSign remains committed to approaching this initiative diligently with the utmost focus on securing and maintaining customer trust.

GDPR consent design: how granular must adtech opt-ins be?

This note examines the range of distinct adtech data processing purposes that will require opt-in under the GDPR. In late 2017 the Article 29 Working Party cautioned that “Data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes”. Recital 42 of the GDPR notes that “For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing”. A consent request should therefore be made with granular options for each of these purposes, and should name each controller that processes personal data for each of these purposes. Any individual controllers who intend to process data for their own unique purposes will need further granular opt-ins for these purposes. Even if all controllers pursued an identical set of purposes, so that they could all receive consent via a single consent dialogue that contained a series of opt-ins, there would need to be a granular set of consent withdrawal controls that covered every single controller once consent had been given. The GDPR gives European Member States the latitude to enact national legislation that prohibits consent as a legal basis for processing of special categories of data. Consent for website and app publishers is certainly an important objective, but the personal data it provides must only be processed after data leakage has been stopped. Using non-personal, rather than personal, data neutralizes the risks of the GDPR for advertisers, publishers, and adtech vendors. We recently revealed PageFair Perimeter, a regulatory firewall that blocks data leakage and enables publishers and adtech partners to use non-personal data for direct and RTB monetization when consent is absent. These cookies contain no personal data, and obtaining consent for their storage is significantly less burdensome than obtaining consent to process personal data for multiple purposes and multiple controllers.
As Recital 26 of the GDPR observes, “The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable”. The Article 29 Working Party demonstrates what this means in practice: “When consent is obtained through only one mouse-click, swipe, or keystroke, data subjects must be able to withdraw that consent equally as easily”. The guidance also says that “Where consent is obtained through use of a service specific user interface, there is no doubt a data subject must be able to withdraw consent via the same electronic interface, as switching to another interface for the sole reason of withdrawing consent would require undue effort”.

Notes. Regarding the purposes for which data have been sold, and to what category of customer, see “Data brokers: a call for transparency and accountability”, Federal Trade Commission, May 2014, pp 39-40, and B3-B. The GDPR, Recital 42. The GDPR, Article 9, paragraph 2, a. See “Consent to use personal data has no value unless one prevents all data leakage”, PageFair Insider, October 2017.
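The granularity argument above, and the Working Party’s point that withdrawal must be as easy as the grant, can be seen in a consent ledger that only ever records one (controller, purpose) pair per opt-in. The following is an added example written for this page, not PageFair’s or Perimeter’s code: the class and function names, the placeholder controller names and the timestamps are all constructed, and it assumes PHP 8 (`str_starts_with`) and that controller and purpose names contain no `|` character.

```php
<?php
declare(strict_types=1);

// Added example, not PageFair's code. Consent is recorded one (controller, purpose)
// pair at a time, so a bundle can never be granted in one step, and withdrawal
// goes through the same interface with the same arguments as the grant.
final class ConsentLedger
{
    /** @var array<string, array{granted_at:int, withdrawn_at:?int}> keyed "controller|purpose" */
    private array $entries = [];

    // Assumes neither name contains '|'.
    private static function key(string $controller, string $purpose): string
    {
        return $controller . '|' . $purpose;
    }

    /** One opt-in covers exactly one purpose for exactly one controller. */
    public function grant(string $controller, string $purpose, int $at): void
    {
        $this->entries[self::key($controller, $purpose)] = ['granted_at' => $at, 'withdrawn_at' => null];
    }

    /** Withdrawal is as granular, and as easy, as the grant. */
    public function withdraw(string $controller, string $purpose, int $at): void
    {
        $k = self::key($controller, $purpose);
        if (isset($this->entries[$k]) && $this->entries[$k]['withdrawn_at'] === null) {
            $this->entries[$k]['withdrawn_at'] = $at;
        }
    }

    /** A per-controller control: withdraw every purpose that controller holds. */
    public function withdrawAllFor(string $controller, int $at): void
    {
        foreach ($this->entries as $k => $e) {
            if (str_starts_with($k, $controller . '|')) {
                $this->withdraw($controller, substr($k, strlen($controller) + 1), $at);
            }
        }
    }

    public function isPermitted(string $controller, string $purpose): bool
    {
        $e = $this->entries[self::key($controller, $purpose)] ?? null;
        return $e !== null && $e['withdrawn_at'] === null;
    }

    /** What a consent dialogue or withdrawal screen would render: every pair with its status. */
    public function summary(): array
    {
        $out = [];
        foreach ($this->entries as $k => $e) {
            [$controller, $purpose] = explode('|', $k, 2);
            $out[] = ['controller' => $controller, 'purpose' => $purpose,
                      'status' => $e['withdrawn_at'] === null ? 'granted' : 'withdrawn'];
        }
        return $out;
    }
}

/**
 * Gate in front of any processing step: the record is used only when consent
 * exists for this exact controller and purpose; otherwise the caller must fall
 * back to processing that does not involve personal data.
 */
function processWithConsent(ConsentLedger $ledger, string $controller, string $purpose, array $record): bool
{
    if (!$ledger->isPermitted($controller, $purpose)) {
        return false;
    }
    // ... the controller's processing for $purpose would run here on $record
    return true;
}

// Constructed sample: two controllers (placeholder names), three purposes, one withdrawal.
$ledger = new ConsentLedger();
$ledger->grant('publisher.example', 'ad selection', 1_700_000_000);
$ledger->grant('publisher.example', 'measurement',  1_700_000_000);
$ledger->grant('ssp.example',       'ad selection', 1_700_000_001);
$ledger->withdraw('ssp.example',    'ad selection', 1_700_000_100);

$record = ['cookie_id' => 'constructed-id-1'];
var_dump(processWithConsent($ledger, 'publisher.example', 'ad selection', $record)); // still consented
var_dump(processWithConsent($ledger, 'ssp.example',       'ad selection', $record)); // withdrawn
var_dump(processWithConsent($ledger, 'publisher.example', 'profiling',    $record)); // never granted
print_r($ledger->summary());
```

Two design choices carry the note’s argument. The ledger has no “grant all” method, so a dialogue built on it cannot record a bundled consent even by accident, while `withdrawAllFor()` does exist, because the asymmetry runs the other way: withdrawing must never be harder than granting. And the processing gate checks the pair, not just the purpose, so a second controller that shares a purpose with the publisher still needs its own entry, which is the per-controller granularity the Working Party requires.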

special-insights

The General Data Protection Regulation will enter into force on 25 May 2018 and is regarded as the most significant change to the European data protection landscape in twenty years.

What is the GDPR?

The GDPR will regulate the processing of personal data inside the EU and of EU residents. The GDPR will replace EU and national data protection legislation. In Ireland, the GDPR will replace the 1995 Data Protection Directive, which is the EU legislation on which the primary Irish data protection legislation, the Data Protection Acts 1988 and 2003, is based.

Who is affected by the GDPR?

The GDPR will apply to EU organisations processing personal data and also to non-EU organisations where they offer goods and services to EU residents or monitor their behaviour, even if that processing does not take place in the EU. The extension of data protection legislation to also cover organisations outside the EU is new and will be a challenge for those organisations. Does your organisation have a DPO or need to appoint one?

EU Representative

Organisations that are not established within the EU but which are subject to the GDPR will be required to appoint an EU representative to act as a point of contact with data protection authorities. Does your organisation have a data protection programme and is it able to provide evidence of how it complies with the requirements of the GDPR?

New data subject rights

Data subjects have enhanced rights under the GDPR, for example, the right to erasure, the right to data portability and the right to object to profiling. In cases of high risks for the data subjects, data subjects generally must also be notified. Data controllers will also be required to maintain an internal breach register documenting incidents of data breaches and the remedial action taken. Does your organisation know how to carry out DPIAs?

Privacy by design and by default

Organisations need to ensure that data protection is at the forefront of any new service, product, business system or process development plans, as these must be developed with privacy in mind. Do you design and build data protection and privacy requirements into your products, services, business processes and systems?

Data processors

The GDPR imposes specific obligations on data processors and more detailed provisions that must be included in controller-processor contracts. Current contracts with data processors should be reviewed to ensure that they meet the GDPR’s requirements.

How to prepare for the GDPR

Organisations should familiarise themselves with the requirements under the GDPR. Following this, organisations should review all data processing activities currently undertaken and envisaged by them in order to identify any gaps in compliance with the GDPR and the associated risks. Under which data processing occurs and ensure that these are in line with the GDPR. The sooner you begin to prepare for the GDPR, the more you will minimise the risks and reduce the likelihood of fines being imposed. Review existing contracts, privacy notices, data protection policies and other documentation and update these to comply with the GDPR. Provide template and bespoke contracts, privacy notices, data protection registers etc.

BOSTON – Onapsis, the global experts in SAP and Oracle application cybersecurity and compliance, today announced new automated product functionality in the Onapsis Security Platform specific to GDPR compliance mandates. This functionality will allow Onapsis customers to quickly evaluate if SAP systems are meeting the requirements of this mandate to protect EU data subjects’ information. As with any new policy, the first stage is to identify those SAP systems that are in scope. Research conducted by the UK & Ireland SAP User Group shows 86% of SAP users do not fully understand how GDPR will affect their SAP landscapes and how to reach compliance. It is almost certain GDPR will have an impact, in some way or another, on any company large enough to have chosen SAP, which touches all aspects of a business. In fact almost every SAP system includes GDPR’s core element: personal data. “In speaking to our customers, we know that GDPR is a complicated mandate and many organizations are struggling to determine if or how their SAP landscapes are relevant. With this in mind, Onapsis’s newly released audit policy within the Onapsis Security Platform automatically evaluates any SAP system through the lens of the data protection requirements of GDPR. This includes data at rest, data in transit and the assessment of data access or authorizations,” commented Alex Horan, Director of Product Management, Onapsis. Through the execution of this new policy, enterprises leveraging OSP can identify SAP systems that do not have adequate protection of the data and processes. For further understanding of GDPR and how it affects SAP, download the recently released white paper from the Onapsis Research Labs titled “SAP and GDPR: Keeping Your Organization Ahead of the Upcoming EU Law.” Onapsis’s Director of Product Management, Alex Horan, will host a live webcast to help organizations understand the complex issue of GDPR and SAP on December 19th at 9:00am and 1:00pm EST.
Onapsis cybersecurity solutions automate the monitoring and protection of your SAP and Oracle applications, keeping them compliant and safe from insider and outsider threats. Onapsis’s solutions are also the de facto standard for leading consulting and audit firms such as Accenture, Deloitte, E&Y, IBM, KPMG and PwC. Onapsis solutions include the Onapsis Security Platform™, which is the most widely used SAP-certified cybersecurity solution on the market. These solutions are powered by the Onapsis Research Labs, who continuously provide leading intelligence on security threats affecting SAP and Oracle enterprise applications. Experts at the Onapsis Research Labs were the first to lecture on SAP cyberattacks and have uncovered and helped fix hundreds of security vulnerabilities to date affecting SAP Business Suite, SAP HANA, SAP Cloud and SAP Mobile applications, as well as Oracle JD Edwards and Oracle E-Business Suite platforms. Onapsis has been issued U.S. Patent No. 9,009,837 entitled “Automated Security Assessment of Business-Critical Systems and Applications,” which describes certain algorithms and capabilities behind the technology powering the Onapsis Security Platform™.

Balancing act: Ensuring compliance with GDPR and US regulations

The impending GDPR, which will go into effect in a little less than a year from now, is going to have a significant impact on enterprise cybersecurity and data governance policies and practices beyond the European Union, significantly impacting global organizations based in the United States that handle data on EU citizens and residents. As part of GDPR, many types of personally identifiable information will be protected, such as banking information, health records and government identity records, as well as any data that can be tied back to a data subject, such as geo-location data from a cell phone, a home address or data from a medical device. Organizations will need to gain a complete picture of all data that is collected, stored or processed. Companies must ensure that adequate means of protecting that data have been implemented, such as access being restricted to authorized personnel, proper authentication being used, proper procedures for backing up and archiving data, and data retention and destruction policies. Any third parties that have access to the data must be evaluated to ensure they too have adequate controls in place. The US, of course, does not have an over-arching data protection law. Data protection measures are buried within numerous laws and regulations. Organizations based in the US that hold data on European customers now have the daunting task of keeping track of each US regulation, while ensuring that they become one hundred percent compliant with GDPR. Given the numerous new requirements mentioned above, it’s enough to make any seasoned IT or data governance professional dizzy. The good news is that GDPR’s requirements for data protection are in line with most regulations in the U.S. For example, there is nothing in the NIST Cybersecurity Framework that conflicts with the data protection practices required by GDPR. These organizations should not treat Americans’ and Europeans’ data in different ways. If EU data was better protected than U.S. data, that would lead to potential liability in civil courts.

Through an in-depth information lifecycle management (ILM) approach, organizations will be able to better manage the immense amounts of data and metadata collected through an information system, tracking it from creation and initial storage to the time when it’s no longer needed and is destroyed, while at the same time providing specific criteria for managing the data storage. When ILM is implemented, there will be automated processes to classify data into tiers according to policies. Once information is collected, the decision must be made to only keep data that has been explicitly asked for. All other data, such as time and geo-location, will likely be classified as PII under GDPR. During data storage and long-term archiving, care should be taken to understand where it all resides: is it moved to a third party? Who has access to it? Are there backups? Knowing the answers to these questions will go a long way in remaining compliant with all necessary regulations. At the end of the day, an organization’s CEO and Board of Directors are ultimately responsible for GDPR compliance and for ensuring that practices are balanced with all other cybersecurity and data privacy regulations that must be adhered to depending on location and industry.

GDPR Services

With the right approach, the upcoming General Data Protection Regulation obligations can be a business opportunity rather than a burden. As organisations get to grips with their GDPR obligations, BAE Systems believes the regulation can be an opportunity rather than a burden if addressed in the right way. An opportunity to use data as a true business asset for:

Managing your compliance obligations by adopting a privacy-led operating model and enabling a privacy culture across the organisation.
Harnessing the power of your data by promoting effective and privacy compliant data management practices that enable business to capitalise on the value of data, translate big data analytics into concrete business insights and promote rich data-driven services.
Safeguarding your data by establishing a robust and efficient data privacy and data security controls framework and enabling privacy by design and by default.
Enhancing brand trust by promoting a transparent privacy model and rethinking value exchange to enable better customer engagement.

Our data and privacy experts explore the implications of GDPR both from a compliance perspective and as a business enabler. Our GDPR services include:

GDPR Readiness Assessment – Conduct a targeted assessment to understand your existing data privacy posture, identify potential GDPR compliance gaps and high risk areas and define a pragmatic remediation roadmap to meet your regulatory obligations.
Data Inventory and Data Mapping – Execute a detailed data analysis and data mapping exercise driving the identification of your critical data assets and corresponding data flows, enabling you to focus security and privacy efforts where it matters.
Privacy by Design Framework – Develop an effective policy and process framework, supplemented by a robust Privacy Impact Assessment approach, adequate change management, architectural and design guidelines and artefacts, allowing you to drive privacy by design and by default across the organisation.
GDPR-led Technology Transformation – Design and implement technology solutions or changes to the existing technology landscape in order to help you meet your GDPR obligations through appropriate tooling, including but not limited to data warehousing solutions, automated data archiving and deletion procedures and organisation-wide consent management solutions.
GDPR Readiness Programme – Support the end-to-end GDPR readiness activities through a clearly defined programme of work that focuses on achieving your compliance objectives using a risk based approach, optimising existing data-driven services and technology solutions, helping you protect personal data across the estate and to promote brand trust.
GDPR Stress Testing and Assurance – Provide comprehensive GDPR programme assurance services, as well as simulated GDPR stress testing including: data breach simulation and incident management process review, subject rights testing and response evaluation, and data management practices review and resilience testing.
Privacy Training and Awareness – Leverage a user-centric approach to communication, education and service design to develop a tailored GDPR training and communication plan which will enable you to build a privacy-first culture and drive effective behavioural change across the business.

The clock is ticking on GDPR: Is your business ready?

Despite having almost two years to prepare for the General Data Protection Regulation, there are companies across the globe that have done little to avoid the hefty fines for non-compliance, despite being directly affected by the new law. A big reason for the lack of preparedness is a misunderstanding of what businesses will have to do to comply in the first place. While the legislation comes from the EU, businesses don’t have to be based or even have a point of presence in the Euro zone to face hefty fines. Whether you are a small e-retailer that sells niche products to a select few customers in the EU or a global behemoth on the scale of Amazon, you’ll need to cross-check your existing policies against the GDPR. This is the biggest point of confusion for most businesses, as the GDPR doesn’t speak to data sovereignty so much as to a business’s behavior and efficacy in providing the best protections. Any organization collecting a subject’s genetic data, health information, racial or ethnic origin, or even religion will need to appoint an officer who can act as a dedicated point of contact for the authorities monitoring compliance. Along with allocating staff who will specifically be tasked with vetting these details to assure compliance, there are a few key points of the legislation that businesses will need to zero in on as a starting point. Many of the measures here are relatively baseline in the context of the current cybersecurity climate, putting into law many of the practices that most businesses would already have needed to implement to succeed in a global market. These include implementing gateways to inspect web traffic that might be accessing or transmitting an organization’s customer data, along with encryption that uses the latest security protocols that most internet traffic adheres to, Transport Layer Security for instance.
Articles 17 and 18 dictate the “Right to portability,” for instance, which allows subjects to transfer their PII between independent service providers with greater ease, as well as the “Right to erasure,” under which subjects can request that a business scrub their PII from its data stores under certain extenuating circumstances. The driving factor here is to give customers greater choice in the services they take advantage of, rather than binding them to contracts that might leave their PII vulnerable to a data breach. Data breaches specifically are discussed in Articles 31 and 32. The former holds businesses to a 72-hour deadline to alert customers who were subject to a personal data breach once the company uncovers the compromising incident. Article 32 takes this a step further by requiring that data controllers waste no time in notifying compromised subjects, or else they could face immediate penalties and have a weakened defense should litigation take them to EU courts. The good news for many businesses that have been dragging their feet is that a lot of the protocols that the GDPR makes law are already widely considered best practice for any business taking part in the digital economy. Despite this, the GDPR protections are more wide-ranging than any preceding measures taken on a multinational scale, so businesses need to be rigorous in cross-checking their existing security infrastructure against the GDPR to avoid penalties that no business can easily afford to stomach.

OpenText Blogs

There are now just over nine months until the day on which GDPR applies to all organizations across the EU – including the UK. The fact that on 25 May 2018 there will still be a number of grey areas in the legislation does not reduce the obligation on EU entities processing personal data, or non-EU entities providing services into the EU, to be in compliance with the regulation. What does ‘compliance’ really mean? How does an organization prove it is compliant? At this point, there is no compliance certification mechanism. I struggle to imagine how there could ever be an effective compliance certification in relation to a law whose ultimate interpretation is decided in law courts. There can be evidence of ‘best efforts’ to meet the obligations. What might those best efforts look like? In simple terms, I think there are two aspects: the first is that personal data is actually protected against breaches, and the second is that it is easy for data subjects to exercise all their rights in relation to their data. An effective ISMS – one which considers risks to the rights and freedoms of data subjects as well as to the reputation and performance of the data controller or processor – is the starting point for effective data protection. Cyber Essentials, ISO 27001 certification, regular penetration testing, data encryption, staff training and awareness, and robust incident response processes are all essential components of an effective ISMS. Clear privacy notices, carefully thought-through mechanisms for facilitating the exercise of data subjects’ rights and a robust and agile data subject access process are key elements of an effective personal information management system. A PIMS is driven by a data protection policy and should include all the processing records and evidence of compliance with the six data protection principles that will enable you to demonstrate that you have indeed put your best foot forward to meet your compliance obligations.
Of course, effective data protection and robust subject rights’ processes are likely to make significant contributions to helping you avoid ever having to report a data breach to the ICO or to having to respond to a legal action from a data subject. In a sense, avoiding those two outcomes will be a substantial demonstration that you have met – and are continuing to meet – your GDPR compliance obligations. Alan is the founder and executive chairman of IT Governance. He is an acknowledged international cyber security guru and a leading author on information security and IT governance issues. Alan wrote the definitive compliance guide, IT Governance: An International Guide to Data Security and ISO27001/ISO27002 5th edition, which is the basis for the UK Open University’s postgraduate course on information security. This work draws on his experience of leading the world’s first successful implementation of BS7799. Other books written by Alan include: The Case for ISO27001, ISO27001 – Nine Steps to Success, Risk Assessment for Asset Owners, IT Governance: Guidelines for Directors, IT Governance: A Practitioner’s Handbook and IT Regulatory Compliance in the UK. Alan is a frequent media commentator on information security and IT governance issues, and has contributed articles and expert comment to a wide range of trade, national and online news outlets.

Enforce Encryption on all endpoints – Laptop Encryption as a Service – AlertSec

Reduces the negative impact on individuals: in the event of a laptop theft or hacker access to stored data, the encrypted data remains unusable; increases the effectiveness of data protection policies by raising awareness across the organization of the importance of privacy and security measures; reduces the cost of addressing problems such as loss or theft of laptops and mobile devices. Organizations are increasingly storing and sharing data via cloud-based services that provide good encryption and key handling. Encryption will need to cover the data you know about in documents and spreadsheets on computers, and the data you may not be aware of: background copies that are downloaded to the computer hard drive by apps even when processing cloud-based data; the copies shared between staff and third-party subcontractors on removable media; hidden data such as author details embedded in documents; IP addresses embedded in emails; and login credentials stored by browsers. AlertSec provides strong protection against accidental loss of all data on endpoint devices: on computers and removable media, in files and documents, embedded in emails and browsers. Extend encryption to third-party data processors and enforce data protection code of conduct agreements. The GDPR sets out data security obligations for data controllers and data processors, whereby personal data must be protected against unauthorized access using appropriate organizational and technical measures: encryption of personal data; ongoing reviews of security measures; redundancy and backup; regular security testing. The AlertSec Service provides data protection as a service.

Compliance Module | Description
Full Disk Encryption | Automatic encryption for any digital personal or sensitive data on the computer. AES-256 encryption for maximum protection, certified to FIPS 140-2, Common Criteria EAL4 and BITS.
Media Encryption/Port Control | Media Encryption automatically encrypts, based on policy, any personal data stored on removable storage media such as USB sticks and external hard drives.
Encryption for Third Parties | Monitor and enforce full disk encryption policies across third-party data processor service providers.

AlertSec help-desk processes for password reset and data recovery are designed to ensure devices are unlocked only for the authorized user. Provide training for employees and third-party suppliers to ensure that USB sticks are encrypted when sharing or moving data. Pre-boot authentication: check whether pre-boot authentication should be implemented to support your corporate policies and update user policies as appropriate. Encryption for Third Parties can help to support service provider compliance with your data protection codes of conduct. Two-factor authentication for administrators can strengthen protection against unauthorized access to the AlertSec admin console. Ensure employees and service providers know how to respond to requests from data subjects, know how to recognize and respond to a potential data security incident, and understand their obligations relating to data security and privacy. Use the regular customer communications from AlertSec to support employee training, to raise service provider awareness, to inform executives of changing cyber-security threats and risk mitigation advice, and to keep data protection and security at the forefront of everyone’s minds.

GDPR is now.

In many cases companies simply do not yet know they have been breached, and unknown breaches are estimated to make up a sizeable share of all data theft. Contrary to the hackneyed media portrayals of hackers as some young, bored IT genius in his bedroom or organised crime gangs, companies often find that the majority of data is in fact breached by employees, contractors or consultants. The EU’s twenty-year-old Data Protection Directive has been updated: enter the General Data Protection Regulation. GDPR comes into force in mid-2018 and is designed to protect the personal data of any EU citizen, and so is applicable to any organisation processing it, within the EU and globally. Accompanying the GDPR imperatives are eye-catching penalties – €20m or 4% of annual GDP, whichever is higher – and enforcement by national Data Protection Agencies, including the ICO in the UK, CNIL in France and BDSG in Germany. With the growing threat of a data breach and the associated reputational and financial costs, along with the burden of imminent enforcement of GDPR, companies are asking, “How do we secure the data?” Trends in data collection, aggregation, analysis and distribution mean that data protection is now a boardroom topic. New titles like Chief Information Security Officer, Chief Data Officer, Data Protection Officer and Security Officer are becoming more commonplace, and the people in these roles are increasingly empowered with executive responsibilities. As companies focus on data protection, there is a general realisation that it is no longer sufficient to secure data silos in isolation, because data proliferates to non-secure systems across the enterprise. Data protection is now a stand-alone discipline that demands security across the enterprise, and companies are mobilising teams with the business, IT and data protection expertise required to find solutions.
GDPR supports this approach, specifying that all data-processing programs must apply ‘Privacy by Design’ to ensure protection during business-as-usual operations, from deployment throughout the data lifecycle. GDPR endorses the concept of pseudonymisation for data privacy and, when it is supported by technologies such as tokenisation that protect the data itself at rest and in use, considers the data safe for transfer across borders and in the event of a data breach. Simply put, tokenisation is a reversible security method that replaces sensitive data with fake data that looks and feels just like the real thing, protecting the data and its value while making it worthless to potential thieves. Properly implemented, tokenisation allows organisations and individuals to operate effectively without the risk of exposing sensitive data: Database Administrators and SOs can perform their roles without access to the data itself, business processing remains compliant regardless of data sovereignty implications, and analysts can be limited to viewing only the data they specifically need, for example year of birth and gender, without access to any other sensitive information. Companies are exploring what maintained compliance will mean for them, performing internal audits, identifying exposures and accelerating adoption of a “data first” protection discipline. While enterprise data protection requires commitment now and the GDPR go-live date provides a visible deadline, let’s not forget that the interim risk of a data breach is much more immediate.
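The paragraph above describes tokenisation as a reversible substitution in which the value-to-token mapping is held apart from the data, so that a DBA sees only tokens while an analyst sees only derived attributes such as year of birth and gender. The following is an added illustration of that model, not code from the original article or from any vendor: a minimal in-memory token vault with format-preserving surrogates and a role policy. The role names, the field names, the sample record and the `ROLE_POLICY` table are all assumptions constructed for the example; a production vault would keep the mapping in a separately secured store and audit every detokenisation.

```python
import secrets
import string

# Assumed role policy for this example: who may reverse tokens, and which
# low-risk derived attributes each role may be shown.
ROLE_POLICY = {
    "dba": {"detokenize": False, "derived": set()},
    "analyst": {"detokenize": False, "derived": {"year_of_birth", "gender"}},
    "privacy_officer": {"detokenize": True, "derived": {"year_of_birth", "gender"}},
}

# Fields treated as direct identifiers and replaced by tokens in the data store.
SENSITIVE_FIELDS = ("name", "email", "national_id", "date_of_birth")

# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "customer_ref": "C-1001",
    "name": "Anna Example",
    "email": "anna@example.org",
    "national_id": "AB123456C",
    "date_of_birth": "1985-03-14",
    "gender": "F",
}


class TokenVault:
    """Reversible tokenisation: each sensitive value is replaced by a random
    surrogate of the same shape. The value<->token mapping lives only in the
    vault, so a stolen copy of the tokenised dataset is worthless on its own."""

    def __init__(self) -> None:
        self._value_to_token: dict[str, str] = {}
        self._token_to_value: dict[str, str] = {}

    @staticmethod
    def _surrogate(value: str) -> str:
        # Format-preserving: digits stay digits, letters keep their case,
        # separators are kept, so downstream parsers and schemas still work.
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
                out.append(secrets.choice(pool))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value: str) -> str:
        """Return the existing token for a value, or mint a fresh unique one.
        Same value -> same token, so joins on tokenised columns still work."""
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            token = self._surrogate(value)
            if token != value and token not in self._token_to_value:
                break
        self._value_to_token[value] = token
        self._token_to_value[token] = value
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Reverse a token; only roles the policy allows may do this."""
        if not ROLE_POLICY[role]["detokenize"]:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._token_to_value[token]

    def derived(self, token: str, attribute: str, role: str) -> str:
        """Compute a low-risk attribute from the real value inside the vault,
        without ever releasing the value itself to the caller."""
        if attribute not in ROLE_POLICY[role]["derived"]:
            raise PermissionError(f"role {role!r} may not see {attribute!r}")
        value = self._token_to_value[token]
        if attribute == "year_of_birth":
            return value[:4]  # ISO date: YYYY-MM-DD
        raise KeyError(f"no derivation defined for {attribute!r}")


def tokenize_record(vault: TokenVault, record: dict) -> dict:
    """Store-side step: replace every sensitive field with its token."""
    return {k: (vault.tokenize(v) if k in SENSITIVE_FIELDS else v) for k, v in record.items()}


def view(vault: TokenVault, stored: dict, role: str) -> dict:
    """What one role sees of a stored (tokenised) record."""
    policy = ROLE_POLICY[role]
    if policy["detokenize"]:
        return {k: (vault.detokenize(v, role) if k in SENSITIVE_FIELDS else v)
                for k, v in stored.items()}
    if policy["derived"]:
        out = {"customer_ref": stored["customer_ref"]}
        for attr in sorted(policy["derived"]):
            # gender is stored in the clear; year_of_birth is derived in the vault
            out[attr] = stored[attr] if attr in stored else vault.derived(
                stored["date_of_birth"], attr, role)
        return out
    return dict(stored)  # DBA: tokens only, never the underlying values


def demo() -> dict:
    vault = TokenVault()
    stored = tokenize_record(vault, SAMPLE_RECORD)
    return {role: view(vault, stored, role) for role in ROLE_POLICY}


if __name__ == "__main__":
    for role, data in demo().items():
        print(role, data)
```

Running the block shows the three views side by side: the DBA view carries plausible-looking but meaningless tokens, the analyst view carries only `customer_ref`, `gender` and `year_of_birth`, and only the privacy officer gets the original record back. Because `tokenize` is deterministic per value, tokenised tables can still be joined and deduplicated without touching the vault.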

Your connection to relevant Mainframe and AS400 news and updates

Circle May 25th, 2018 on your calendar if you’re doing business in the European Union or have customers in the EU. Starting that day, any organisation collecting personal data on any EU citizen will be subject to the EU’s General Data Protection Regulation, otherwise known as Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016. The regulation’s aims are to extend the scope of EU data protection law to ALL foreign companies processing the data of EU residents, and to harmonise data protection regulations throughout the EU, making compliance easier for non-European companies while also ensuring the free flow of personal data between member states. The GDPR replaces the 1995 data protection directive, which had resulted in fragmented implementation of data protection across the EU. Who does GDPR apply to? The GDPR covers personal data collected for data subjects based in the EU. It applies to the following organisational types that collect or process personal data on EU residents: data controllers residing in the EU – organisations that collect personal data from EU residents; processors residing in the EU – organisations that process personal data on behalf of EU data controllers, including cloud providers; and organisations outside the EU that collect or process personal data of EU residents. It’s worth noting that there’s a separate EU legal act covering personal data for law enforcement activities, the execution of criminal penalties, and the prevention of threats to public safety, none of which are covered under the GDPR. GDPR compliance also doesn’t apply to personal data associated with deceased persons. Violations relating to the legal justification for processing, lack of consent, data subject rights, and cross-border data transfers can result in penalties of up to twenty million euros or up to 4% of the total annual worldwide turnover of the preceding financial year, whichever is higher.
The regulation states that “appropriate technical and organisational measures be taken to ensure that the requirements of this regulation are met.” Organisations must design data protection safeguards into their products and services, including pseudonymisation/encryption of personal data. Per the GDPR, “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.” Consent can be given by a written statement, by electronic means, or by an oral statement. The data subject should be “aware at least of the identity of the controller and the purposes of the processing for which the personal data is collected.” Consent is not considered freely given if the data subject has no free choice in the matter or is unable to withdraw or refuse consent without detriment. A data subject has the right to have his or her personal data “erased” and no longer processed when the personal data is no longer necessary, the subject has withdrawn his or her consent, the subject objects to the processing of their personal data, or where the processing does not comply with the regulation. Where processing is based on the data subject’s consent, the controller should be able to demonstrate that consent has been given to the processing operation. GDPR compliance is complicated, with significant responsibilities for any organisation collecting and processing the personal data of EU residents.

GDPR is coming, and data management platforms are in the crosshairs

Data management platforms play an increasingly important role in helping digital marketers find high-value audiences, largely based on third-party data collection without much transparency. With the General Data Protection Regulation being enforced in May, DMPs may face a tough battle to obtain third-party data. The GDPR will change that, as it demands that personal data – including data collected through cookies – can only be used with explicit consent from individuals. That means DMPs will face more legal obligations under the GDPR, and since the GDPR will make it harder for companies to obtain third-party data, DMPs may have to rely more on first-party and second-party data than on third-party data, according to ad tech executives and legal counsels. “Third-party data will become less accessible because of GDPR, which is likely to cause DMPs to focus more on first-party and second-party data. But it doesn’t mean that third-party data will become irrelevant, or DMPs will stop relying on it.” This is because ad tech companies are known to process data based on inferred consent through opt-out mechanisms, but GDPR makes individuals’ consent the lawful basis for processing data, according to Burr. Douglas McPherson, chief legal officer for OpenX, thinks that whether – and how – the GDPR will affect DMP operations boils down to how a company defines its role under the regulation: Is it a “data controller” that “determines the purposes and means of the processing of personal data”? Is it a “data processor” that “processes personal data on behalf of the controller”? Or is it a “data subprocessor” that a data processor engages to conduct further processing in addition to what the data processor is doing? The role determines how and why a company collects personal data, said McPherson. The data processor can’t engage the subprocessor without informing the data controller.
McPherson believes that while DMPs typically act like data processors, they will also be viewed under the GDPR as data controllers in some cases, for instance when they collect data from credit card companies, look for users’ purchase patterns, create user profiles and then create data products to sell. As data controllers, DMPs will have many legal responsibilities under the GDPR, like maintaining records of data-processing activities, as well as implementing an internal policy on handling data and data security. “But GDPR will change that. If there’s a data breach, for example, data controllers will get a fine of €20 million or 4 percent of their global revenue.” “If GDPR requires more robust consent than the existing laws, DMPs may need to ask brands and publishers they work with to obtain explicit consent from individuals, or DMPs can look for first-party data or other data sources.” Burr thinks that changes in the treatment of consent under the GDPR are “an important derogation” for DMPs that usually aggregate and analyze pseudonymised website data and log data on publisher, retailer, and advertiser websites. “In many cases, the DMP is acting solely as the processor who is processing first-party data at the direction of the controller or the client. In some instances a DMP may act as a data controller,” said Morris. Despite these challenges, ad tech executives and legal counsels interviewed for this story believe the GDPR creates opportunities for quality data and better data management.

Privacy Laws & Business

“The ICO’s current regulatory style may have to change somewhat under the EU DP General Data Protection Regulation.” Ian Bourne, DP Policy Delivery Group Manager, ICO, said at a PL&B/Browne Jacobson seminar in London yesterday: “The ICO’s…. The ICO says that in the next six months, it will issue guidance on: an overview of the GDPR; individuals’ rights; contracts; consent; and a privacy notices code of practice. The ICO also continues to be active at the European level…. In a speech delivered on Thursday, 29 September in London, the United Kingdom’s new Information Commissioner, Elizabeth Denham, stated that UK businesses with international clients and partners would be wise to carry on with their GDPR preparation…. Speaking in Parliament on 12 December, Data Protection Minister Matt Hancock confirmed that the government is now working on the overall approach and the details of EU Data Protection Regulation implementation. Details of any new…. The ICO has added some information to its GDPR guidance document, indicating the areas where the EU Article 29 Data Protection Working Party will issue guidance, and areas on which the ICO is currently concentrating. The ICO aims to publish guidan…. The government is committed to bringing the EU Data Protection Regulation into force in full by May 2018 and will bring forward legislation in the next parliamentary session to amend the Data Protection Act 1998. Giving evidence at the House of Lords EU Home Affairs Sub-Committee on 8 March, Denham said that an…. The ICO is leading an EU Article 29 Working Party on this issue – the WP….
In the Queen’s Speech today, the UK government has made its intention clear to legislate to ‘ensure that the United Kingdom retains its world-class regime protecting personal data’ by implementing the EU…. The Data Protection Network has published guidance on legitimate interests under the EU General Data Protection Regulation. The Data Protection Bill will implement into UK law the GDPR derogations and the EU Data Protection Law Enforcement Directive, the government announced today. The majority of the EU General Data Protection Regulation provisions will…. An amendment to the Data Protection Bill, adopted by the House of Lords on 11 December, will diverge from the GDPR by…. The ICO has today issued draft guidance on the protection of children’s data under the GDPR. The new regime requires some changes, as parental consent is required for the use of information society services unless they are about offering counsellin…. In a notice issued yesterday, the EU Commission makes clear that ‘in view of the considerable uncertainties, in particular concerning the content of a possible withdrawal agreement, all stakeholders processing personal data are reminded of legal…..

GDPR: 8 things HR leaders need to do to be GDPR ready

On May 25 2018, the General Data Protection Regulation will come into effect, affecting any organization that processes the personal data of individuals who are in the EU. Organizations have less than a year to ensure that they are ready for GDPR compliance, or risk heavy fines and a damaged reputation. The protection of personal data is a serious matter, and so GDPR has been introduced to strengthen and future-proof the ways in which individual data is protected. As gatekeepers and processors of personal employee data, HR leaders and teams have a critical role to play. All personal data must be processed lawfully; therefore, HR leaders – working with IT and legal departments – will need to review their existing processes for collecting, handling and protecting employee personal data. This includes: checking that there are sufficient ‘version control’ and review processes in place for HR policies, to ensure that they are up to date and reflective of the GDPR; identifying all HR and People systems, and assessing their related risk based on existing data protection rules, such as ISO27001; and considering the personal data collected and any necessary consent gathered at all stages of the employee journey for your entire workforce – from candidate to employee – to ensure that these meet the requirements of the GDPR.

2. A DPO’s duties include advising on the GDPR, raising awareness of company policies, training staff involved in processing operations, and liaising with the data protection supervisory authorities. Having all your people data in one place gives you a single source of truth and record of data, making it easier to locate what you need, when you need it, and to provide access to your employees when they have requested it. Whilst you are not automatically required to refresh consents, if existing consents do not meet the GDPR standards, then unless you can establish another lawful basis for processing that data, you will have to revisit consent.
The rules on how data is kept and used will become much more stringent, and it is vital that HR and People teams become more transparent, communicating to employees exactly how their data is processed. HR teams must understand their roles and responsibilities regarding data protection, and how they will handle any data breach or data loss. The GDPR also requires further information to be provided to individuals, e.g. the right to lodge a complaint with a supervisory authority, the period for which data will be stored, the right to withdraw consent and, in some cases, the right to data portability. Employers should consider using self-service to capture employee consent, provide access to personal data records, provide the ability to request data changes or transfers, and handle any other updates your workforce might need. HR and People teams, or whoever is responsible for how data is processed in the organization, will have to notify supervisory authorities of personal data breaches within 72 hours, unless the data is encrypted or doesn’t identify individuals. GDPR applies to any organization worldwide that handles the personal data of individuals who are based in the EU, so there are likely implications for your entire global organization, not just those parts located in the EU member states. Employees will have to be informed of their rights and how their personal data will be processed, and HR and People teams will need to consider how they orchestrate this at the global level, whilst maintaining compliance with other local laws.

The BVRLA on Preparing for GDPR

The new General Data Protection Regulation comes into effect on 25 May 2018 marking the biggest overhaul of data protection since the introduction of the current Data Protection Act in 1998. Seen as more of an evolution than a revolution, GDPR is effectively a more detailed and robust version of the current regulation, placing greater emphasis on the rights of individuals and imposing tougher penalties on those organisations who fall short of meeting their data protection obligations. The GDPR applies to data processing carried out by organisations operating within the EU as well as organisations outside the EU that offer goods or services to individuals in the EU. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR so businesses should not let the prospect of Brexit delay preparations. The British Vehicle Rental and Leasing Association recently published findings from its Fleet Technology Survey, revealing that around half of BVRLA members and fleet managers felt ready for GDPR. 54% claimed that their company is clear about its responsibilities under GDPR and 52% claimed that their company has a clear strategy regarding its collection and use of driver and vehicle data. To be adequately prepared for the new rules, some operators may need to completely overhaul their data management processes. The Information Commissioner’s Office understands the importance of having an internationally consistent approach to data protection regulation, stating: “With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations, and to individuals.” Under GDPR, there will be more emphasis on the rights of individuals both in terms of consent and access to their own data. 
Another area of change is that the new rules place emphasis on shared responsibility, making everybody who handles and processes data liable, not just data controllers. As the automotive industry continues to transition from a sector driven by mechanics to one driven by electronics and software, the issue of data and cyber security will become an increasing concern. The main cyber security threats to connected and automotive vehicles include loss of control, loss of data, leaking or sharing of data, denial of service or malicious manipulation of software, network outage or disruption of power supply, and even interception or hijacking. As part of the BVRLA’s Fleet Technology Survey, the association explored the views of drivers with regard to data and connected vehicles, and the message was clear. Around seventy percent of BVRLA members and fleet managers believe that vehicle manufacturers have an obligation to provide vehicle data, with 86% saying that they should not have to pay for it. Seventy-nine percent of respondents said they were concerned that vehicle manufacturers would restrict access to telematics data to further their own business goals. BVRLA Chief Executive Gerry Keaney said: “Connected vehicle data is rapidly becoming the new currency of the fleet sector and will drive many business models in future. Our responsibility is clear. The BVRLA will play a lead role in helping the fleet sector work with government and the wider automotive supply chain to ensure that all parties share data in an open, secure and fair way. By doing this, we can make sure that businesses and consumers continue to enjoy a competitive choice of suppliers for fleet management, aftermarket and mobility services.”

GDPR CCTV

The GDPR will require a wholesale reassessment of data protection for the UK’s millions of CCTV cameras, which so far have benefited from relatively light-touch regulation. Cloudview asked Andrew Charlesworth, Reader in IT Law at the University of Bristol, to examine the impact of the changing nature of data privacy regulation on the CCTV industry. The resulting paper, Watching the Watchers, shows how changing technology has altered both the data protection environment and public perceptions of what is acceptable to protect their privacy, and explains how it creates opportunities for providers to offer enhanced value services. It explains the key changes that will be required as the GDPR shifts the focus of data protection from compliance to accountability. Operators will need to review and possibly change their privacy policies, but by using new technologies such as cloud they can meet the new regulations while improving data accessibility and opening up new applications for visual data. “Cloud allows selective and secure access to CCTV footage from any device by nominated employees, and it also offers performance improvements such as making data more readily accessible, providing accurate date and time stamping and providing constant updates on camera status so any technical problems can be rectified immediately. It’s up to the industry to use the GDPR as an opportunity to rethink the way that visual data is stored, how it’s secured and ultimately how it can be used to better effect as a business tool rather than purely as a security system.” Until recently the courts had held that damages could only be awarded where a data subject had suffered monetary loss, but in the case of Vidal-Hall v Google Inc the Court of Appeal ruled that damages could be awarded solely for distress. Almost half either don’t have, or aren’t sure if they have, data processing agreements set up with new cloud providers.
This is an essential part of GDPR compliance, and ensures that any cloud apps are adhering to data privacy protection requirements when processing customer data. Article 33 of the GDPR states that an organisation must report a data breach within 72 hours. A national data protection authority will then decide how much to fine the organisation for the breach; this could be up to 4pc of the organisation’s global annual turnover, or over 20 million Euros, whichever is greater. People might try to cover up data breaches rather than report them late. One reason for this could be that a significant proportion of survey participants don’t think their organisation could, or aren’t sure if they could, identify and report a data breach within 72 hours. Javvad Malik said: “Organisations with small and overstretched security teams, and limited budgets for cybersecurity, are likely to be extremely worried about the threat of GDPR fines. After all, the potential of having to pay up to 4pc of global turnover could have a serious effect on a fledgling business, potentially impacting earnings or funding opportunities. They could also lose customers through reputational damage and even have to consider making redundancies. Set against this backdrop, it’s easy to see why some might consider trying to cover up a data breach, rather than deal with the consequences. But this could lead to far greater problems for them in the long term.” As for encryption, over a third of respondents said that their organization would refuse to put a backdoor in their customer data if asked to do so by the government.